2 // This file is part of the aMule Project.
4 // Copyright (c) 2003-2011 aMule Team ( admin@amule.org / http://www.amule.org )
5 // Copyright (c) 2002-2011 Merkur ( devs@emule-project.net / http://www.emule-project.net )
7 // Any parts of this program derived from the xMule, lMule or eMule project,
8 // or contributed by third-party developers are copyrighted by their
11 // This program is free software; you can redistribute it and/or modify
12 // it under the terms of the GNU General Public License as published by
13 // the Free Software Foundation; either version 2 of the License, or
14 // (at your option) any later version.
16 // This program is distributed in the hope that it will be useful,
17 // but WITHOUT ANY WARRANTY; without even the implied warranty of
18 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 // GNU General Public License for more details.
21 // You should have received a copy of the GNU General Public License
22 // along with this program; if not, write to the Free Software
23 // Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
26 /* Basic Obfuscated Handshake Protocol UDP:
27 see EncryptedStreamSocket.h
29 ****************************** ED2K Packets
31 - Keycreation Client <-> Client:
32 - Client A (Outgoing connection):
33 Sendkey: Md5(<UserHashClientB 16><IPClientA 4><MagicValue91 1><RandomKeyPartClientA 2>) 23
34 - Client B (Incoming connection):
35 Receivekey: Md5(<UserHashClientB 16><IPClientA 4><MagicValue91 1><RandomKeyPartClientA 2>) 23
36 - Note: The first 1024 Bytes will be _NOT_ discarded for UDP keys to save CPU time
39 -> The handshake is encrypted - except otherwise noted - by the Keys created above
40 -> Padding is currently not used for UDP meaning that PaddingLen will be 0, using PaddingLens up to 16 Bytes is acceptable however
41 Client A: <SemiRandomNotProtocolMarker 7 Bits[Unencrypted]><ED2K Marker 1Bit = 1><RandomKeyPart 2[Unencrypted]><MagicValue 4><PaddingLen 1><RandomBytes PaddingLen%16>
43 - Additional Comments:
44 - For obvious reasons the UDP handshake is actually no handshake. If a different Encryption method (or better a different Key) is to be used this has to be negotiated in a TCP connection
45 - SemiRandomNotProtocolMarker is a Byte which has a value unequal any Protocol header byte. This is a compromise, turning in complete randomness (and nice design) but gaining a lower CPU usage
46 - Kad/Ed2k Marker are only indicators, which possibility could be tried first, and should not be trusted
48 ****************************** Server Packets
50 - Keycreation Client <-> Server:
51 - Client A (Outgoing connection client -> server):
52 Sendkey: Md5(<BaseKey 4><MagicValueClientServer 1><RandomKeyPartClientA 2>) 7
53 - Client B (Incoming connection):
54 Receivekey: Md5(<BaseKey 4><MagicValueServerClient 1><RandomKeyPartClientA 2>) 7
55 - Note: The first 1024 Bytes will be _NOT_ discarded for UDP keys to save CPU time
58 -> The handshake is encrypted - except otherwise noted - by the Keys created above
59 -> Padding is currently not used for UDP meaning that PaddingLen will be 0, using PaddingLens up to 16 Bytes is acceptable however
60 Client A: <SemiRandomNotProtocolMarker 1[Unencrypted]><RandomKeyPart 2[Unencrypted]><MagicValue 4><PaddingLen 1><RandomBytes PaddingLen%16>
62 - Overhead: 8 Bytes per UDP Packet
64 - Security for Basic Obfuscation:
65 - Random looking packets, very limited protection against passive eavesdropping single packets
67 - Additional Comments:
68 - For obvious reasons the UDP handshake is actually no handshake. If a different Encryption method (or better a different Key) is to be used this has to be negotiated in a TCP connection
69 - SemiRandomNotProtocolMarker is a Byte which has a value unequal any Protocol header byte. This is a compromise, turning in complete randomness (and nice design) but gaining a lower CPU usage
71 ****************************** KAD Packets
73 - Keycreation Client <-> Client:
74 - Client A (Outgoing connection):
75 Sendkey: Md5(<KadID 16><RandomKeyPartClientA 2>) 18
76 - Client B (Incoming connection):
77 Receivekey: Md5(<KadID 16><RandomKeyPartClientA 2>) 18
78 - Note: The first 1024 Bytes will be _NOT_ discarded for UDP keys to save CPU time
81 -> The handshake is encrypted - except otherwise noted - by the Keys created above
82 -> Padding is currently not used for UDP meaning that PaddingLen will be 0, using PaddingLens up to 16 Bytes is acceptable however
83 Client A: <SemiRandomNotProtocolMarker 7 Bits[Unencrypted]><Kad Marker 1Bit = 0><RandomKeyPart 2[Unencrypted]><MagicValue 4><PaddingLen 1><RandomBytes PaddingLen%16><ReceiverVerifyKey 2><SenderVerifyKey 2>
85 - Overhead: 12 Bytes per UDP Packet
87 - Additional Comments:
88 - For obvious reasons the UDP handshake is actually no handshake. If a different Encryption method (or better a different Key) is to be used this has to be negotiated in a TCP connection
89 - SemiRandomNotProtocolMarker is a Byte which has a value unequal any Protocol header byte. This is a compromise, turning in complete randomness (and nice design) but gaining a lower CPU usage
90 - Kad/Ed2k Marker are only indicators, which possibility could be tried first, and should not be trusted
93 #include "EncryptedDatagramSocket.h"
96 #include "Preferences.h"
97 #include "RC4Encrypt.h"
98 #include "./kademlia/kademlia/Prefs.h"
99 #include "./kademlia/kademlia/Kademlia.h"
100 #include "RandomFunctions.h"
101 #include "Statistics.h"
103 #include <protocol/Protocols.h>
104 #include <common/MD5Sum.h>
107 #include "CryptoPP_Inc.h" // Needed for Crypto functions
109 #define CRYPT_HEADER_WITHOUTPADDING 8
110 #define MAGICVALUE_UDP 91
111 #define MAGICVALUE_UDP_SYNC_CLIENT 0x395F2EC1
112 #define MAGICVALUE_UDP_SYNC_SERVER 0x13EF24D5
113 #define MAGICVALUE_UDP_SERVERCLIENT 0xA5
114 #define MAGICVALUE_UDP_CLIENTSERVER 0x6B
116 CEncryptedDatagramSocket::CEncryptedDatagramSocket(amuleIPV4Address
&address
, wxSocketFlags flags
, const CProxyData
*proxyData
)
117 : CDatagramSocketProxy(address
, flags
, proxyData
)
120 CEncryptedDatagramSocket::~CEncryptedDatagramSocket()
123 int CEncryptedDatagramSocket::DecryptReceivedClient(uint8_t *bufIn
, int bufLen
, uint8_t **bufOut
, uint32_t ip
, uint32_t *receiverVerifyKey
, uint32_t *senderVerifyKey
)
128 if (receiverVerifyKey
== NULL
|| senderVerifyKey
== NULL
) {
133 *receiverVerifyKey
= 0;
134 *senderVerifyKey
= 0;
136 if (result
<= CRYPT_HEADER_WITHOUTPADDING
/*|| !thePrefs.IsClientCryptLayerSupported()*/) {
142 case OP_KADEMLIAPACKEDPROT
:
143 case OP_KADEMLIAHEADER
:
144 case OP_UDPRESERVEDPROT1
:
145 case OP_UDPRESERVEDPROT2
:
147 return result
; // no encrypted packet (see description on top)
152 // might be an encrypted packet, try to decrypt
153 CRC4EncryptableBuffer receivebuffer
;
155 // check the marker bit which type this packet could be and which key to test first, this is only an indicator since old clients have it set random
156 // see the header for marker bits explanation
157 uint8_t currentTry
= ((bufIn
[0] & 0x03) == 3) ? 1 : (bufIn
[0] & 0x03);
159 if (Kademlia::CKademlia::GetPrefs() == NULL
) {
160 // if kad never run, no point in checking anything except for ed2k encryption
168 receivebuffer
.FullReset();
172 if (currentTry
== 0) {
173 // kad packet with NodeID as key
175 if (Kademlia::CKademlia::GetPrefs()) {
177 Kademlia::CKademlia::GetPrefs()->GetKadID().StoreCryptValue((uint8_t *)&keyData
);
178 memcpy(keyData
+ 16, bufIn
+ 1, 2); // random key part sent from remote client
179 md5
.Calculate(keyData
, sizeof(keyData
));
181 } else if (currentTry
== 1) {
185 md4cpy(keyData
, thePrefs::GetUserHash().GetHash());
186 keyData
[20] = MAGICVALUE_UDP
;
187 PokeUInt32(keyData
+ 16, ip
);
188 memcpy(keyData
+ 21, bufIn
+ 1, 2); // random key part sent from remote client
189 md5
.Calculate(keyData
, sizeof(keyData
));
190 } else if (currentTry
== 2) {
191 // kad packet with ReceiverKey as key
193 if (Kademlia::CKademlia::GetPrefs()) {
195 PokeUInt32(keyData
, Kademlia::CPrefs::GetUDPVerifyKey(ip
));
196 memcpy(keyData
+ 4, bufIn
+ 1, 2); // random key part sent from remote client
197 md5
.Calculate(keyData
, sizeof(keyData
));
203 receivebuffer
.SetKey(md5
, true);
204 receivebuffer
.RC4Crypt(bufIn
+ 3, (uint8_t*)&value
, sizeof(value
));
205 ENDIAN_SWAP_I_32(value
);
207 currentTry
= (currentTry
+ 1) % 3;
208 } while (value
!= MAGICVALUE_UDP_SYNC_CLIENT
&& tries
> 0); // try to decrypt as ed2k as well as kad packet if needed (max 3 rounds)
210 if (value
== MAGICVALUE_UDP_SYNC_CLIENT
) {
211 // yup this is an encrypted packet
212 // // debugoutput notices
213 // // the following cases are "allowed" but shouldn't happen given that there is only our implementation yet
214 // if (bKad && (pbyBufIn[0] & 0x01) != 0)
215 // DebugLog(_T("Received obfuscated UDP packet from clientIP: %s with wrong key marker bits (kad packet, ed2k bit)"), ipstr(dwIP));
216 // else if (bKad && !bKadRecvKeyUsed && (pbyBufIn[0] & 0x02) != 0)
217 // DebugLog(_T("Received obfuscated UDP packet from clientIP: %s with wrong key marker bits (kad packet, nodeid key, recvkey bit)"), ipstr(dwIP));
218 // else if (bKad && bKadRecvKeyUsed && (pbyBufIn[0] & 0x02) == 0)
219 // DebugLog(_T("Received obfuscated UDP packet from clientIP: %s with wrong key marker bits (kad packet, recvkey key, nodeid bit)"), ipstr(dwIP));
222 receivebuffer
.RC4Crypt(bufIn
+ 7, (uint8_t*)&padLen
, 1);
223 result
-= CRYPT_HEADER_WITHOUTPADDING
;
225 if (result
<= padLen
) {
226 //DebugLogError(_T("Invalid obfuscated UDP packet from clientIP: %s, Paddingsize (%u) larger than received bytes"), ipstr(dwIP), byPadLen);
227 return bufLen
; // pass through, let the Receivefunction do the errorhandling on this junk
231 receivebuffer
.RC4Crypt(NULL
, NULL
, padLen
);
238 //DebugLogError(_T("Obfuscated Kad packet with mismatching size (verify keys missing) received from clientIP: %s"), ipstr(dwIP));
239 return bufLen
; // pass through, let the Receivefunction do the errorhandling on this junk;
241 // read the verify keys
242 receivebuffer
.RC4Crypt(bufIn
+ CRYPT_HEADER_WITHOUTPADDING
+ padLen
, (uint8_t*)receiverVerifyKey
, 4);
243 receivebuffer
.RC4Crypt(bufIn
+ CRYPT_HEADER_WITHOUTPADDING
+ padLen
+ 4, (uint8_t*)senderVerifyKey
, 4);
244 ENDIAN_SWAP_I_32(*receiverVerifyKey
);
245 ENDIAN_SWAP_I_32(*senderVerifyKey
);
249 *bufOut
= bufIn
+ (bufLen
- result
);
251 receivebuffer
.RC4Crypt((uint8_t*)*bufOut
, (uint8_t*)*bufOut
, result
);
252 theStats::AddDownOverheadCrypt(bufLen
- result
);
253 return result
; // done
255 //DebugLogWarning(_T("Obfuscated packet expected but magicvalue mismatch on UDP packet from clientIP: %s"), ipstr(dwIP));
256 return bufLen
; // pass through, let the Receivefunction do the errorhandling on this junk
260 // Encrypt packet. Key used:
261 // clientHashOrKadID != NULL -> clientHashOrKadID
262 // clientHashOrKadID == NULL && kad && receiverVerifyKey != 0 -> receiverVerifyKey
264 int CEncryptedDatagramSocket::EncryptSendClient(uint8_t **buf
, int bufLen
, const uint8_t *clientHashOrKadID
, bool kad
, uint32_t receiverVerifyKey
, uint32_t senderVerifyKey
)
266 wxASSERT(theApp
->GetPublicIP() != 0 || kad
);
267 wxASSERT(thePrefs::IsClientCryptLayerSupported());
268 wxASSERT(clientHashOrKadID
!= NULL
|| receiverVerifyKey
!= 0);
269 wxASSERT((receiverVerifyKey
== 0 && senderVerifyKey
== 0) || kad
);
271 uint8_t padLen
= 0; // padding disabled for UDP currently
272 const uint32_t cryptHeaderLen
= padLen
+ CRYPT_HEADER_WITHOUTPADDING
+ (kad
? 8 : 0);
273 uint32_t cryptedLen
= bufLen
+ cryptHeaderLen
;
274 uint8_t *cryptedBuffer
= new uint8_t[cryptedLen
];
275 bool kadRecvKeyUsed
= false;
277 uint16_t randomKeyPart
= GetRandomUint16();
278 CRC4EncryptableBuffer sendbuffer
;
281 if ((clientHashOrKadID
== NULL
|| CMD4Hash(clientHashOrKadID
).IsEmpty()) && receiverVerifyKey
!= 0) {
282 kadRecvKeyUsed
= true;
284 PokeUInt32(keyData
, receiverVerifyKey
);
285 PokeUInt16(keyData
+4, randomKeyPart
);
286 md5
.Calculate(keyData
, sizeof(keyData
));
287 //DEBUG_ONLY( DebugLog(_T("Creating obfuscated Kad packet encrypted by ReceiverKey (%u)"), nReceiverVerifyKey) );
289 else if (clientHashOrKadID
!= NULL
&& !CMD4Hash(clientHashOrKadID
).IsEmpty()) {
291 md4cpy(keyData
, clientHashOrKadID
);
292 PokeUInt16(keyData
+16, randomKeyPart
);
293 md5
.Calculate(keyData
, sizeof(keyData
));
294 //DEBUG_ONLY( DebugLog(_T("Creating obfuscated Kad packet encrypted by Hash/NodeID %s"), md4str(pachClientHashOrKadID)) );
297 delete [] cryptedBuffer
;
303 md4cpy(keyData
, clientHashOrKadID
);
304 PokeUInt32(keyData
+16, theApp
->GetPublicIP());
305 PokeUInt16(keyData
+21, randomKeyPart
);
306 keyData
[20] = MAGICVALUE_UDP
;
307 md5
.Calculate(keyData
, sizeof(keyData
));
310 sendbuffer
.SetKey(md5
, true);
312 // create the semi random byte encryption header
313 uint8_t semiRandomNotProtocolMarker
= 0;
315 for (i
= 0; i
< 128; i
++) {
316 semiRandomNotProtocolMarker
= GetRandomUint8();
317 semiRandomNotProtocolMarker
= kad
? (semiRandomNotProtocolMarker
& 0xFE) : (semiRandomNotProtocolMarker
| 0x01); // set the ed2k/kad marker bit
319 // set the ed2k/kad and nodeid/recvkey markerbit
320 semiRandomNotProtocolMarker
= kadRecvKeyUsed
? ((semiRandomNotProtocolMarker
& 0xFE) | 0x02) : (semiRandomNotProtocolMarker
& 0xFC);
322 // set the ed2k/kad marker bit
323 semiRandomNotProtocolMarker
= (semiRandomNotProtocolMarker
| 0x01);
327 switch (semiRandomNotProtocolMarker
) { // not allowed values
329 case OP_KADEMLIAPACKEDPROT
:
330 case OP_KADEMLIAHEADER
:
331 case OP_UDPRESERVEDPROT1
:
332 case OP_UDPRESERVEDPROT2
:
345 // either we have _real_ bad luck or the randomgenerator is a bit messed up
347 semiRandomNotProtocolMarker
= 0x01;
350 cryptedBuffer
[0] = semiRandomNotProtocolMarker
;
351 PokeUInt16(cryptedBuffer
+ 1, randomKeyPart
);
353 uint32_t magicValue
= ENDIAN_SWAP_32(MAGICVALUE_UDP_SYNC_CLIENT
);
354 sendbuffer
.RC4Crypt((uint8_t*)&magicValue
, cryptedBuffer
+ 3, 4);
355 sendbuffer
.RC4Crypt((uint8_t*)&padLen
, cryptedBuffer
+ 7, 1);
357 for (int j
= 0; j
< padLen
; j
++) {
358 uint8_t byRand
= (uint8_t)rand(); // they actually don't really need to be random, but it doesn't hurt either
359 sendbuffer
.RC4Crypt((uint8_t*)&byRand
, cryptedBuffer
+ CRYPT_HEADER_WITHOUTPADDING
+ j
, 1);
363 ENDIAN_SWAP_I_32(receiverVerifyKey
);
364 ENDIAN_SWAP_I_32(senderVerifyKey
);
365 sendbuffer
.RC4Crypt((uint8_t*)&receiverVerifyKey
, cryptedBuffer
+ CRYPT_HEADER_WITHOUTPADDING
+ padLen
, 4);
366 sendbuffer
.RC4Crypt((uint8_t*)&senderVerifyKey
, cryptedBuffer
+ CRYPT_HEADER_WITHOUTPADDING
+ padLen
+ 4, 4);
369 sendbuffer
.RC4Crypt(*buf
, cryptedBuffer
+ cryptHeaderLen
, bufLen
);
371 *buf
= cryptedBuffer
;
373 theStats::AddUpOverheadCrypt(cryptedLen
- bufLen
);
377 int CEncryptedDatagramSocket::DecryptReceivedServer(uint8_t* pbyBufIn
, int nBufLen
, uint8_t **ppbyBufOut
, uint32_t dwBaseKey
, uint32_t /*dbgIP*/)
379 int nResult
= nBufLen
;
380 *ppbyBufOut
= pbyBufIn
;
382 if (nResult
<= CRYPT_HEADER_WITHOUTPADDING
|| !thePrefs::IsServerCryptLayerUDPEnabled() || dwBaseKey
== 0) {
386 if(pbyBufIn
[0] == OP_EDONKEYPROT
) {
387 return nResult
; // no encrypted packet (see description on top)
390 // might be an encrypted packet, try to decrypt
391 uint8_t achKeyData
[7];
392 PokeUInt32(achKeyData
, dwBaseKey
);
393 achKeyData
[4] = MAGICVALUE_UDP_SERVERCLIENT
;
394 memcpy(achKeyData
+ 5, pbyBufIn
+ 1, 2); // random key part sent from remote server
396 CRC4EncryptableBuffer receivebuffer
;
397 MD5Sum
md5(achKeyData
, sizeof(achKeyData
));
398 receivebuffer
.SetKey(md5
,true);
401 receivebuffer
.RC4Crypt(pbyBufIn
+ 3, (uint8_t*)&dwValue
, sizeof(dwValue
));
402 ENDIAN_SWAP_I_32(dwValue
);
403 if (dwValue
== MAGICVALUE_UDP_SYNC_SERVER
) {
404 // yup this is an encrypted packet
405 //DEBUG_ONLY( DebugLog(_T("Received obfuscated UDP packet from ServerIP: %s"), ipstr(dbgIP)) );
407 receivebuffer
.RC4Crypt(pbyBufIn
+ 7, (uint8_t*)&byPadLen
, 1);
409 nResult
-= CRYPT_HEADER_WITHOUTPADDING
;
411 if (nResult
<= byPadLen
) {
412 //DebugLogError(_T("Invalid obfuscated UDP packet from ServerIP: %s, Paddingsize (%u) larger than received bytes"), ipstr(dbgIP), byPadLen);
413 return nBufLen
; // pass through, let the Receivefunction do the errorhandling on this junk
417 receivebuffer
.RC4Crypt(NULL
, NULL
, byPadLen
);
421 *ppbyBufOut
= pbyBufIn
+ (nBufLen
- nResult
);
422 receivebuffer
.RC4Crypt((uint8_t*)*ppbyBufOut
, (uint8_t*)*ppbyBufOut
, nResult
);
424 theStats::AddDownOverheadCrypt(nBufLen
- nResult
);
425 return nResult
; // done
427 //DebugLogWarning(_T("Obfuscated packet expected but magicvalue mismatch on UDP packet from ServerIP: %s"), ipstr(dbgIP));
428 return nBufLen
; // pass through, let the Receivefunction do the errorhandling on this junk
432 int CEncryptedDatagramSocket::EncryptSendServer(uint8_t** ppbyBuf
, int nBufLen
, uint32_t dwBaseKey
)
434 wxASSERT( thePrefs::IsServerCryptLayerUDPEnabled() );
435 wxASSERT( dwBaseKey
!= 0 );
437 uint16_t nRandomKeyPart
= GetRandomUint16();
439 uint8_t achKeyData
[7];
440 PokeUInt32(achKeyData
, dwBaseKey
);
441 achKeyData
[4] = MAGICVALUE_UDP_CLIENTSERVER
;
442 PokeUInt16(achKeyData
+ 5, nRandomKeyPart
);
443 MD5Sum
md5(achKeyData
, sizeof(achKeyData
));
444 CRC4EncryptableBuffer sendbuffer
;
445 sendbuffer
.SetKey(md5
, true);
447 // create the semi random byte encryption header
448 uint8_t bySemiRandomNotProtocolMarker
= 0;
451 for (i
= 0; i
< 128; i
++) {
452 bySemiRandomNotProtocolMarker
= GetRandomUint8();
453 if (bySemiRandomNotProtocolMarker
!= OP_EDONKEYPROT
) { // not allowed values
459 // either we have _real_ bad luck or the randomgenerator is a bit messed up
461 bySemiRandomNotProtocolMarker
= 0x01;
464 uint8_t byPadLen
= 0; // padding disabled for UDP currently
465 uint32_t nCryptedLen
= nBufLen
+ byPadLen
+ CRYPT_HEADER_WITHOUTPADDING
;
466 uint8_t* pachCryptedBuffer
= new uint8_t[nCryptedLen
];
468 pachCryptedBuffer
[0] = bySemiRandomNotProtocolMarker
;
469 PokeUInt16(pachCryptedBuffer
+ 1, nRandomKeyPart
);
471 uint32_t dwMagicValue
= ENDIAN_SWAP_32(MAGICVALUE_UDP_SYNC_SERVER
);
472 sendbuffer
.RC4Crypt((uint8_t*)&dwMagicValue
, pachCryptedBuffer
+ 3, 4);
474 sendbuffer
.RC4Crypt((uint8_t*)&byPadLen
, pachCryptedBuffer
+ 7, 1);
476 for (int j
= 0; j
< byPadLen
; j
++){
477 uint8_t byRand
= (uint8_t)rand(); // they actually don't really need to be random, but it doesn't hurt either
478 sendbuffer
.RC4Crypt((uint8_t*)&byRand
, pachCryptedBuffer
+ CRYPT_HEADER_WITHOUTPADDING
+ j
, 1);
480 sendbuffer
.RC4Crypt(*ppbyBuf
, pachCryptedBuffer
+ CRYPT_HEADER_WITHOUTPADDING
+ byPadLen
, nBufLen
);
482 *ppbyBuf
= pachCryptedBuffer
;
484 theStats::AddUpOverheadCrypt(nCryptedLen
- nBufLen
);